“If you know the enemy and know yourself,
you need not fear the result of a hundred battles.
If you know yourself but not the enemy,
for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself,
you will succumb in every battle.”
~ 6th century BC, the great Chinese general Sun Tzu
Make no mistake about it: when it comes to online security, we are at war with a skilled and determined enemy. How YOU Protect You teaches you to know yourself by comparing your digital lifestyle and habits with those we strongly suggest. Below, we will help you better know the enemy so you can overcome them.
Who are they?
When we say the word “hacker”, “fraudster”, or “cybercriminal”, what images does it conjure? A geeky guy with unkempt hair and glasses? Some slickly dressed but somehow smarmy “snake-oil salesman”? A kid with too much time on her hands? While we are certain that some hackers, fraudsters, and cybercriminals fit those perceptions, who they really are might surprise you.
Hackers are not just freelance computer geeks making a score here and there and spending the money on video games. Most of these cybercriminals are highly intelligent, highly motivated, highly educated, and highly paid. Some work for nations like China, Nigeria, Iran, and North Korea; terrorist organizations like Al-Quaeda, Hamas, and Hezbollah; or “hack‑tivist” groups like Mysterious Team Bangladesh, NoName057, Infinity Team, and Anonymous Russia. Others work for organized criminal enterprises like the Russian Mafia. Still others are employed by corporations, hired to steal information from competitors.
Cybercrime is big business. Jeff Multz, a world-renowned security evangelist, frequently reminds us that if all the annual revenues from online theft were combined into a single company, it would be the largest corporation in the world, dwarfing behemoths like Big Oil and Wal‑Mart. Where do all these revenues come from? From people like you. Just like you. And if you are not very careful, you may end up contributing directly to their success.
It is a sobering thought, but as the saying goes, forewarned is forearmed. Know your enemy and you can overcome him.
Now that you know who the Bad Guys are, let’s look at some of the tactics they use against you. Bear in mind that this is a general overview; new tactics are being developed all the time. However, the overall strategy remains the same: to take what belongs to you for themselves.
Remember that, fundamentally, these are con artists, masquerading as something favorable or benign. When a website, email, phone call, or text comes from the Bad Guys, these trademark tactics can tip their hand:
- Gaining your confidence: The fraudster will claim to be from the Bank or other organization you know and trust, and can even spoof a phone number or text message so it looks like it is coming from that organization.
- Presenting a believable situation:
- “We are from the JPSCB Fraud Department. Did you make a $395.99 charge to Walmart in Sarasota, Florida? You did not? Don’t worry! I can help you get your money back!”
- “Click Here to be directed to our new site to verify your information!”
- “We are doing a system upgrade and need to confirm your information.”
- Invoking high-pressure claims (or threats): Often using fear, they attempt to create a sense of urgency, claiming for example: “If we don’t confirm your debit card number, your card will be deactivated!”
- Faking a resolution afterwards: You might get a “Thank You” or “Virus Removed” message…or nothing at all!
Social Engineering occurs when a hacker calls you on the phone, pretending to be from the bank, and tries to trick you into giving out your username, password, and/or one-time-PIN. Anyone who asks for your password or PIN is a hacker!
IT folks, for whatever reason, are not the world’s greatest spellers. Phishing (pronounced “fishing”) is a technique where the cybercriminal sends an email message that contains a link to a malicious site or an attachment with malware hidden within it.
This is a newer form of malware that tricks you into installing a virus on your computer. There are many variations on how scamware manifests itself, but here is an example:
A message appears on your computer stating, “You’ve been infected with SomeSuperVirus” and telling you to “Click Here” so “Windows Security Program” will remove it and scan your system to be sure it’s safe. You are asked to pay $29.95 (or a similar figure) to download the program that “fixes” it. Of course, the virus that the scamware “detects” is fake, and the program you download and pay for is more spyware — when it “removes” the nonexistent virus, it’s actually installing lots of undetected malware on your system.
Vishing is phishing over a phone call (hence the “v” for “voice”). The fraudster calls, pretending to be from the Bank, and asks for personal information. Remember, the Bank already has your information! Although we will ask you to identify yourself with personal information if you call us (since hackers try to scam us, too), we will never call, email, or text you out of the blue to request information we already have.
This technique is a very common and more aggressive form of malware. Ransomware takes over your computer, deletes/encrypts your backups, and locks your files so you cannot use them unless you pay the hacker… and paying the hacker does not always solve the problem. It is vital to keep your system patched, have multiple air-gapped backups, and install next-gen antivirus/antimalware software to protect against malware.
SMiShing is a term for phishing over text (SMS). The fraudster will send a text message to your cell phone, pretending to be from the Bank, and try to trick you into clicking a link or texting information back to him.
Beware of letters in the mail that contain checks, calls claiming you’ve won the Canadian Lottery, faxes, Secret Shopper ads, and other older technology communications that promise you large sums of money for a small, up-front fee. As a general rule, do not give out information or your debit card number as a response to unsolicited communications.